McAfee EPO

McAfee EPO normalizes McAfee EPO events and enables you to analyze the attack summary, threats, firewall activities, and attack severities using dashboards.

For Logpoint version:

  • 7.4.0 or later
  • 6.7.0 or later
  • 6.0.0 to 6.6.6
Release Details
Version: 5.2.0
Supported On: Logpoint v7.4.0 or later for log source template
Release date: May 07, 2024
SHA 256: 03cb85c4cd9823c5171e126e2f07caf83ee141b33ec5e2190ca4d93348b59ed4
Download

Package Details

The application consists of the following components:

  1. Dashboard Packages
    • LP_McAfee Antivirus Overview 
    • LP_McAfee Antivirus Activity
  2. Normalization Packages
    • LP_McAfee EPO Antivirus DB Generic 
    • LP_McAfee EPO XML 
    • LP_McAfee EPO Antivirus 
    • LP_McAfee EPO Antivirus DB 
    • LP_McAfee VSE 
  3. Label Package
    • LP_McAfee EPO Antivirus DB 

Enhancement

Description | Issue ID | Reference ID
Added Syslog Collector based Trellix McAfee log source template, simplifying the log source configuration process. To learn more, go to Creating Log Source via a Template. | KB-22688 | -


Installation 

To install McAfee EPO v5.1.0:

Case I: Syslog Collector

  1. Download the McAfee EPO package from the Download section in the Release Details table.
  2. Add McAfee EPO as a required device in LogPoint.
  3. Create a collection policy with the Syslog collector and an appropriate processing policy. 
  4. Assign the policy to the device.
  5. Add the dashboard.

Case II: ODBC Fetcher

  1. Download the Trend Micro DB package from the Download section in the Release Details table.
  2. Add McAfee EPO as a required device in LogPoint.
  3. Configure ODBC fetcher. To learn more, go to the Configuring the ODBC Fetcher for McAfee EPO in the McAfee EPO v5.1.0 guide.
  4. Assign the policy to the device.
  5. Add the dashboard.

McAfee Dashboards

(Dashboard screenshots: mcafee1.png, mcafee2.png)

Supported Device

McAfee EPO

Log Formats

Expected Log Format Sample

McAfee EPO (Syslog Collector)

CEF

<9>CEF:0|McAfee EPO|VirusScan Enterprise|8.8|1092|Solidcore<Test Send threat events to Syslog Server> alert|2|alertId=1092 alertName=Test Send threat events to Syslog Server alertType='File' class or access eventType=SolidcoreEvent host=LOGPOINT eventname=Anti-virus Standard Protection:Prevent remote creation of autorun files workflowid= eventTimestamp=06/03/13 08:38:36 UTC eventObject=H:\PROJECTS\ISFDY\BD DEFENSE\SALES\PROPOSALS\COUNTRY\EDGYPT\EGYPT FAC-M\OBSOLETE\RWM - MASS(TM) (D)\AUTORUN.INF eventProgramName= eventProgramUser=SYSTEM
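As an added example (not part of this article or of the Logpoint app), a small Python parser for the CEF sample above. It splits the seven pipe-delimited header fields and then the extension, where values such as alertType, eventname and eventObject contain unescaped spaces, so the extension has to be split at key= boundaries rather than on whitespace. The sample line is the page's own; the parser and its field names are assumptions of this example.

```python
import re

# The page's own CEF sample: syslog PRI <9>, then the CEF header and extension.
SAMPLE = (
    r"<9>CEF:0|McAfee EPO|VirusScan Enterprise|8.8|1092|"
    r"Solidcore<Test Send threat events to Syslog Server> alert|2|"
    r"alertId=1092 alertName=Test Send threat events to Syslog Server "
    r"alertType='File' class or access eventType=SolidcoreEvent host=LOGPOINT "
    r"eventname=Anti-virus Standard Protection:Prevent remote creation of autorun files "
    r"workflowid= eventTimestamp=06/03/13 08:38:36 UTC "
    r"eventObject=H:\PROJECTS\ISFDY\BD DEFENSE\SALES\PROPOSALS\COUNTRY\EDGYPT\EGYPT FAC-M"
    r"\OBSOLETE\RWM - MASS(TM) (D)\AUTORUN.INF "
    r"eventProgramName= eventProgramUser=SYSTEM"
)

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# An extension key is a run of word characters followed by "=", at the start or after whitespace.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def parse_extension(ext):
    """Split key=value pairs whose values may contain unescaped spaces.

    Each value runs from its key up to the start of the next key, which also
    handles empty values such as workflowid= in the sample. A literal "=" in
    a value is CEF-escaped as \\= and is unescaped here; backslashes in paths
    (eventObject) are left untouched because this vendor does not escape them."""
    keys = list(KEY_RE.finditer(ext))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].strip().replace(r"\=", "=")
    return out


def parse_cef(line):
    """Return a flat dict of syslog PRI, CEF header and extension fields."""
    event = {}
    pri = re.match(r"<(\d{1,3})>", line)
    if pri:  # PRI = facility * 8 + severity; <9> is facility 1 (user), severity 1 (alert)
        event["syslog_facility"], event["syslog_severity"] = divmod(int(pri.group(1)), 8)
        line = line[pri.end():]
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Header fields are pipe-delimited; a literal pipe inside one is escaped as \|.
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("expected 7 header fields plus an extension")
    for name, value in zip(HEADER_FIELDS, parts[:7]):
        event[name] = value.replace(r"\|", "|")
    if event["severity"].isdigit():
        event["severity"] = int(event["severity"])
    event.update(parse_extension(parts[7]))
    return event
```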

Expected Log Format Sample

McAfee EPO (ODBC Fetcher)

Semicolon-separated

"36172608";"2014-10-21 06:55:39.963000";"none";"none";"1119";"ops.update.end";"4";"2014-10-21 06:00:24";"None";"AutoUpdate";"none";"True";"SYSTEM";"jria";"DCCAT";"DC014134";"DC014134";"DC014134.DCCAT.DK";"10.11.0.82";"";"001f1639e203";"Windows 8.1";"Service Pack 1";"6.1";"7601";"Rom, normaltid";"None";"10.11.0.68";"None";"None";"None";"None";"1";"VirusScan Enterprise";"8.8";"5600.1067";"5600.1067";"7597.0000";"N/A";"5600.1067";"2";"8.8.0.975.Wrk";"";

Expected Log Format Sample

McAfee EPO 

XML

<29>May 12 01:11:44 XXXXX EPOEvents <?xml version="1.0" encoding="UTF-8"?><SCORData><MachineInfo><MachineName>ABC1234</MachineName><AgentGUID>{64c1dd34-f3bc-11e8-00ee-2XXXXXXXXXXX}</AgentGUID><IPAddress>1.1.1.1</IPAddress><OSName>Windows 8 Workstation</OSName><UserName>SYSTEM</UserName><TimeZoneBias>-120</TimeZoneBias><RawMACAddress>242ffa151533</RawMACAddress></MachineInfo><SCORSoftware ProductName="XYZ" ProductVersion="8.0.0" ProductFamily="Secure"><SCOREvent><EventID>20719</EventID><Severity>1</Severity><GMTTime>2022-05-12T13:11:17</GMTTime><SCORevent_name>WRITE_DENIED</SCORevent_name><SCORevt_id>20</SCORevt_id><SCORevt_type>EVT_CAT_TYPE_MAJOR</SCORevt_type><SCORevt_sink>7</SCORevt_sink><SCORseq_no>401234</SCORseq_no><SCORtime_stamp>1589289077527</SCORtime_stamp><SCORserver_state>0</SCORserver_state><SCORuser_name>NT AUTHORITY\SYSTEM</SCORuser_name><SCORprocess_name>C:\windows\abc\abc.exe</SCORprocess_name><SCORprocess_id>2408</SCORprocess_id><SCORfile_name>C:\Windows\abc\ABC.dll</SCORfile_name><SCORprocess_sha1>3342761485c5aed17bc5dabd34219e4cbf836b9b</SCORprocess_sha1><SCORprocess_md5>edf009f55cd0928009c5c05780616e3d</SCORprocess_md5><SCORprocess_sha256>9bfa82f4c09461c3452b4edc5fd5de32e37d135ff4db3f6762b706928ae1ed50</SCORprocess_sha256></SCOREvent></SCORSoftware></SCORData>#015

Release Details
Version: 5.1.0
Supported On: LogPoint v6.7.4 and later
Release date: 2022-04-13
Document date: 2022-04-13
SHA 256: a9816fe5ce7b89fe5afcd21197842244ca6668b9cd4f000e2664c86b7f132af5
Documentation: McAfee EPO v5.1.0.guide
Download

Package Details

The application consists of the following components:

  1. Dashboard Packages
    • LP_McAfee Antivirus Overview 
    • LP_McAfee Antivirus Activity
  2. Normalization Packages
    • LP_McAfee EPO Antivirus DB Generic 
    • LP_McAfee EPO XML 
    • LP_McAfee EPO Antivirus 
    • LP_McAfee EPO Antivirus DB 
    • LP_McAfee VSE 
  3. Label Package
    • LP_McAfee EPO Antivirus DB 

Enhancement

Description | Issue ID | Reference ID
Renamed the severity field as severity_level in McAfeeEPOXMLCompiledNormalizer. | KB-10891 | 46765
Updated LP_McAfee EPO XML to support events from McAfee ePolicy Orchestrator. | |
Added new signatures in the McAfeeEPODBCompiledNormalizer to normalize McAfee EPO Antivirus logs. | KB-10757 | 44911


Bug Fixes

The following issues are fixed:

Description | Issue ID | Reference ID
Some McAfeeEPO logs were not normalized by LP_McAfee EPO XML. | KB-15680 | 62907
The analyzer_host, source_host, and destination_host fields were mapped to the host field. | KB-15635 | 62489
The TargetUserName and UserName fields were mapped to the user field. | |


Installation 

To install McAfee EPO v5.1.0:

Case I: Syslog Collector

  1. Download the McAfee EPO package from the Download section in the Release Details table.
  2. Add McAfee EPO as a required device in LogPoint.
  3. Create a collection policy with the Syslog collector and an appropriate processing policy. 
  4. Assign the policy to the device.
  5. Add the dashboard.

Case II: ODBC Fetcher

  1. Download the Trend Micro DB package from the Download section in the Release Details table.
  2. Add McAfee EPO as a required device in LogPoint.
  3. Configure ODBC fetcher. To learn more, go to the Configuring the ODBC Fetcher for McAfee EPO in the McAfee EPO v5.1.0 guide.
  4. Assign the policy to the device.
  5. Add the dashboard.

McAfee Dashboards

(Dashboard screenshots: mcafee1.png, mcafee2.png)

Supported Device

McAfee EPO

Log Formats

Expected Log Format Sample

McAfee EPO (Syslog Collector)

CEF

<9>CEF:0|McAfee EPO|VirusScan Enterprise|8.8|1092|Solidcore<Test Send threat events to Syslog Server> alert|2|alertId=1092 alertName=Test Send threat events to Syslog Server alertType='File' class or access eventType=SolidcoreEvent host=LOGPOINT eventname=Anti-virus Standard Protection:Prevent remote creation of autorun files workflowid= eventTimestamp=06/03/13 08:38:36 UTC eventObject=H:\PROJECTS\ISFDY\BD DEFENSE\SALES\PROPOSALS\COUNTRY\EDGYPT\EGYPT FAC-M\OBSOLETE\RWM - MASS(TM) (D)\AUTORUN.INF eventProgramName= eventProgramUser=SYSTEM

Expected Log Format Sample

McAfee EPO (ODBC Fetcher)

Semicolon-separated

"36172608";"2014-10-21 06:55:39.963000";"none";"none";"1119";"ops.update.end";"4";"2014-10-21 06:00:24";"None";"AutoUpdate";"none";"True";"SYSTEM";"jria";"DCCAT";"DC014134";"DC014134";"DC014134.DCCAT.DK";"10.11.0.82";"";"001f1639e203";"Windows 8.1";"Service Pack 1";"6.1";"7601";"Rom, normaltid";"None";"10.11.0.68";"None";"None";"None";"None";"1";"VirusScan Enterprise";"8.8";"5600.1067";"5600.1067";"7597.0000";"N/A";"5600.1067";"2";"8.8.0.975.Wrk";"";

Expected Log Format Sample

McAfee EPO 

XML

<29>May 12 01:11:44 XXXXX EPOEvents <?xml version="1.0" encoding="UTF-8"?><SCORData><MachineInfo><MachineName>ABC1234</MachineName><AgentGUID>{64c1dd34-f3bc-11e8-00ee-2XXXXXXXXXXX}</AgentGUID><IPAddress>1.1.1.1</IPAddress><OSName>Windows 8 Workstation</OSName><UserName>SYSTEM</UserName><TimeZoneBias>-120</TimeZoneBias><RawMACAddress>242ffa151533</RawMACAddress></MachineInfo><SCORSoftware ProductName="XYZ" ProductVersion="8.0.0" ProductFamily="Secure"><SCOREvent><EventID>20719</EventID><Severity>1</Severity><GMTTime>2022-05-12T13:11:17</GMTTime><SCORevent_name>WRITE_DENIED</SCORevent_name><SCORevt_id>20</SCORevt_id><SCORevt_type>EVT_CAT_TYPE_MAJOR</SCORevt_type><SCORevt_sink>7</SCORevt_sink><SCORseq_no>401234</SCORseq_no><SCORtime_stamp>1589289077527</SCORtime_stamp><SCORserver_state>0</SCORserver_state><SCORuser_name>NT AUTHORITY\SYSTEM</SCORuser_name><SCORprocess_name>C:\windows\abc\abc.exe</SCORprocess_name><SCORprocess_id>2408</SCORprocess_id><SCORfile_name>C:\Windows\abc\ABC.dll</SCORfile_name><SCORprocess_sha1>3342761485c5aed17bc5dabd34219e4cbf836b9b</SCORprocess_sha1><SCORprocess_md5>edf009f55cd0928009c5c05780616e3d</SCORprocess_md5><SCORprocess_sha256>9bfa82f4c09461c3452b4edc5fd5de32e37d135ff4db3f6762b706928ae1ed50</SCORprocess_sha256></SCOREvent></SCORSoftware></SCORData>#015

Release Details
Version: 3.2.0
Supported On: Logpoint v6.0.0 to v6.6.6
Release date: 2020-05-14
Document date: 2020-05-14
SHA 256: 73171aa61fdd48846b54b584d5a7725853eff4cb62b1a8fc7cc756458c00fe40
Download

Package Details

The application consists of the following components:

  1. Dashboard Packages
    • LP_McAfee Antivirus Overview 
    • LP_McAfee Antivirus Activity
  2. Normalization Packages
    • LP_McAfee EPO Antivirus DB Generic 
    • LP_McAfee EPO XML 
    • LP_McAfee EPO Antivirus 
    • LP_McAfee EPO Antivirus DB 
    • LP_McAfee VSE 
  3. Label Package
    • LP_McAfee EPO Antivirus DB 

Enhancement

A minor update has been done in the application’s normalizer for better signature handling. 

Installation 

Follow these steps to install the McAfee EPO v3.2.0 plugin:

Case I: Syslog Collector

  1. Download the McAfee EPO package from the Download section above.
  2. Add McAfee EPO as the required device in LogPoint.
  3. Create a collection policy with the Syslog collector and appropriate processing policy. 
  4. Assign the policy to the device.
  5. Add the dashboard.

Case II: ODBC Fetcher

  1. Download the Trend Micro DB package from the Download section above.
  2. Add McAfee EPO as the required device in LogPoint.
  3. Configure ODBC fetcher with the details listed in the Configuration of Sources section.
  4. Assign the policy to the device.
  5. Add the dashboard.

Screenshots

(Dashboard screenshots: mcafee1.png, mcafee2.png)

Supported Device

The supported device of McAfee EPO with LogPoint in this configuration is:

  • McAfee EPO

Log Formats

McAfee EPO (Syslog Collector)

Expected Log Format

CEF

Log Sample

<9>CEF:0|McAfee EPO|VirusScan Enterprise|8.8|1092|Solidcore<Test Send threat events to Syslog Server> alert|2|alertId=1092 alertName=Test Send threat events to Syslog Server alertType='File' class or access eventType=SolidcoreEvent host=LOGPOINT eventname=Anti-virus Standard Protection:Prevent remote creation of autorun files workflowid= eventTimestamp=06/03/13 08:38:36 UTC eventObject=H:\PROJECTS\ISFDY\BD DEFENSE\SALES\PROPOSALS\COUNTRY\EDGYPT\EGYPT FAC-M\OBSOLETE\RWM - MASS(TM) (D)\AUTORUN.INF eventProgramName= eventProgramUser=SYSTEM

McAfee EPO (ODBC Fetcher)

Expected Log Format

Semicolon-separated

Log Sample

"36172608";"2014-10-21 06:55:39.963000";"none";"none";"1119";"ops.update.end";"4";"2014-10-21 06:00:24";"None";"AutoUpdate";"none";"True";"SYSTEM";"jria";"DCCAT";"DC014134";"DC014134";"DC014134.DCCAT.DK";"10.11.0.82";"";"001f1639e203";"Windows 8.1";"Service Pack 1";"6.1";"7601";"Rom, normaltid";"None";"10.11.0.68";"None";"None";"None";"None";"1";"VirusScan Enterprise";"8.8";"5600.1067";"5600.1067";"7597.0000";"N/A";"5600.1067";"2";"8.8.0.975.Wrk";"";

Configuration of McAfee EPO (ODBC Fetcher)

  • Driver: MSSQL2
  • Port: 1433
  • Database: Mcafee Database
  • Username: 
  • Password:
  • Incremental Key: A unique key used as a pointer to read data from the table. The default value is AutoID.
  • Incremental Key Table: Table to which the incremental key belongs. The default value is EPOEvents.
  • New Line Separator: Used for cases that have newline characters embedded in the log entries. In other cases, this can be discarded. 
  • Query: This is used to fetch data from the table(s). The query may be simple or based on joins. The default query is:

SELECT
  [EPOEvents].[AutoID],
  [EPOEvents].[ReceivedUTC] as [timestamp],
  [EPOEvents].[ThreatName] as [signature],
  [EPOEvents].[ThreatType] as [threat_type],
  [EPOEvents].[ThreatEventID] as [signature_id],
  [EPOEvents].[ThreatCategory] as [category],
  [EPOEvents].[ThreatSeverity] as [severity_id],
  [EPOEvents].[DetectedUTC] as [detected_timestamp],
  [EPOEvents].[TargetFileName] as [file_name],
  [EPOEvents].[AnalyzerDetectionMethod] as [detection_method],
  [EPOEvents].[ThreatActionTaken] as [vendor_action],
  [EPOEvents].[ThreatHandled] as [threat_handled],
  [EPOEvents].[TargetUserName] as [target_user],
  [EPOComputerProperties].[UserName] as [user],
  [EPOComputerProperties].[DomainName] as [dest_nt_domain],
  [EPOEvents].[TargetHostName] as [dest_dns],
  [EPOEvents].[TargetHostName] as [dest_nt_host],
  [EPOComputerProperties].[IPHostName] as [fqdn],
  [dest_ip] = (
    convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),1,1)))
    +'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),2,1)))
    +'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),3,1)))
    +'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),4,1)))
  ),
  [EPOComputerProperties].[SubnetMask] as [dest_netmask],
  [EPOComputerProperties].[NetAddress] as [dest_mac],
  [EPOComputerProperties].[OSType] as [os],
  [EPOComputerProperties].[OSServicePackVer] as [sp],
  [EPOComputerProperties].[OSVersion] as [os_version],
  [EPOComputerProperties].[OSBuildNum] as [os_build],
  [EPOComputerProperties].[TimeZone] as [timezone],
  [EPOEvents].[SourceHostName] as [src_dns],
  [src_ip] = (
    convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),1,1)))
    +'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),2,1)))
    +'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),3,1)))
    +'.'+convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),4,1)))
  ),
  [EPOEvents].[SourceMAC] as [src_mac],
  [EPOEvents].[SourceProcessName] as [process],
  [EPOEvents].[SourceURL] as [url],
  [EPOEvents].[SourceUserName] as [caller_user],
  [EPOComputerProperties].[IsPortable] as [is_laptop],
  [EPOEvents].[AnalyzerName] as [product],
  [EPOEvents].[AnalyzerVersion] as [product_version],
  [EPOEvents].[AnalyzerEngineVersion] as [engine_version],
  [EPOEvents].[AnalyzerEngineVersion] as [dat_version],
  [EPOProdPropsView_VIRUSCAN].[datver] as [vse_dat_version],
  [EPOProdPropsView_VIRUSCAN].[enginever64] as [vse_engine64_version],
  [EPOProdPropsView_VIRUSCAN].[enginever] as [vse_engine_version],
  [EPOProdPropsView_VIRUSCAN].[hotfix] as [vse_hotfix],
  [EPOProdPropsView_VIRUSCAN].[productversion] as [vse_product_version],
  [EPOProdPropsView_VIRUSCAN].[servicepack] as [vse_sp]
FROM [EPOEvents]
  left join [EPOLeafNode] on [EPOEvents].[AgentGUID] = [EPOLeafNode].[AgentGUID]
  left join [EPOProdPropsView_VIRUSCAN] on [EPOLeafNode].[AutoID] = [EPOProdPropsView_VIRUSCAN].[LeafNodeID]
  left join [EPOComputerProperties] on [EPOLeafNode].[AutoID] = [EPOComputerProperties].[ParentID]
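Added example (not from the Logpoint package or this article): the dest_ip and src_ip expressions of the default query, reimplemented in Python so the conversion can be checked or reproduced outside SQL Server. It assumes, as the + 2147483648 in the query implies, that ePO stores an IPv4 address as a signed 32-bit integer offset by 2^31; the IPV4x value in the constructed row is the one that corresponds to 10.11.0.82 from the ODBC log sample, and the row layout itself is constructed for the example.

```python
import ipaddress

# The constant the default query adds to IPV4x / SourceIPV4 before slicing bytes (2^31).
EPO_OFFSET = 2147483648


def epo_ipv4x_to_str(ipv4x):
    """Mirror of the query's [dest_ip] / [src_ip] expression.

    The query adds 2147483648, casts the result to varbinary(4) and reads the
    four bytes in big-endian order, one per octet. A NULL column (no computer
    properties joined for the event) stays None instead of raising."""
    if ipv4x is None:
        return None
    unsigned = ipv4x + EPO_OFFSET
    if not 0 <= unsigned <= 0xFFFFFFFF:
        # Anything outside this range could not have come from a 4-byte value.
        raise ValueError(f"IPV4x value out of range: {ipv4x}")
    return ".".join(str(b) for b in unsigned.to_bytes(4, "big"))


def str_to_epo_ipv4x(addr):
    """Inverse conversion, e.g. to look a dotted address up in the IPV4x column."""
    return int(ipaddress.IPv4Address(addr)) - EPO_OFFSET


# Constructed row shaped like the raw columns the query converts (not real ePO data).
SAMPLE_ROW = {
    "IPV4x": -1978990510,   # assumption: stored form of 10.11.0.82 from the ODBC sample
    "SourceIPV4": None,     # event without a source address
}


def normalize_row(row):
    """Produce the two converted fields the query aliases as dest_ip and src_ip."""
    return {
        "dest_ip": epo_ipv4x_to_str(row.get("IPV4x")),
        "src_ip": epo_ipv4x_to_str(row.get("SourceIPV4")),
    }


if __name__ == "__main__":
    print(normalize_row(SAMPLE_ROW))
```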


Support

If you have any queries or require assistance, please feel free to contact our support team:

Email: servicedesk@logpoint.com
Phone: +45 7060 6100

Best regards,

Comments

  • Faizal Dagia
    April 03, 2018 14:27

    Please confirm if the instruction in the post is correct:

    "Download the Trend Micro DB package from the customer site"

    Since EPO uses does it not require MS SQL fetcher?

  • Joakim Wahlgren
    April 02, 2019 08:55

    Please update this page to include a zip as seen here https://servicedesk.logpoint.com/hc/en-us/articles/115003783925
